Message-Id: <201202021721.q12HLXUf061436@red.freebsd.org>
Date: Thu, 2 Feb 2012 17:21:33 GMT
From: Hilko Meyer <hilko.meyer@gmx.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: security/php-suhosin 0.9.33 available with fix for a possible stack buffer overflow

>Number:         164712
>Category:       ports
>Synopsis:       security/php-suhosin 0.9.33 available with fix for a possible stack buffer overflow
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ale
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 02 17:30:11 UTC 2012
>Closed-Date:    Fri Feb 03 09:05:28 UTC 2012
>Last-Modified:  Fri Feb  3 09:10:08 UTC 2012
>Originator:     Hilko Meyer
>Release:        
>Organization:
>Environment:
>Description:
Hi,

Suhosin 0.9.33 was recently released. They found a possible security problem which is not in the default configuration.

Advisory:
http://seclists.org/fulldisclosure/2012/Jan/295

Changelog:
http://www.hardened-php.net/suhosin/changelog.html
2012.01.19: Version 0.9.33

Make clear that suhosin is incompatible with mbstring.encoding_translation=On
Stop mbstring extension from replacing POST handlers
Added detection of extensions manipulating POST handlers
Fixed environment variables for logging do not go through the filter extension anymore
Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
Removed crypt() support - because not used for PHP >= 5.3.0 anyway


>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->ale 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Thu Feb 2 17:30:23 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=164712 
State-Changed-From-To: open->closed 
State-Changed-By: ale 
State-Changed-When: Fri Feb 3 09:05:14 UTC 2012 
State-Changed-Why:  
Committed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=164712 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/164712: commit references a PR
Date: Fri,  3 Feb 2012 09:05:14 +0000 (UTC)

 ale         2012-02-03 09:04:56 UTC
 
   FreeBSD ports repository
 
   Modified files:
     security/php-suhosin Makefile distinfo 
   Log:
   Update to 0.9.33 release.
   PHP 4 is not supported.
   PHP 5.2 is not officially supported, but may work.
   
   PR:             ports/164712
   Submitted by:   Hilko Meyer <hilko.meyer@gmx.de>
   
   Revision  Changes    Path
   1.24      +3 -1      ports/security/php-suhosin/Makefile
   1.25      +2 -2      ports/security/php-suhosin/distinfo
>Unformatted:
